RE: RADIUS PAP-SecurID Access-Challenge
I'm sorry, The other day I said that there is nothing "unusual" about SecurID RADIUS authentication. I'm so used to EAP, I forgot about the PAP auth with a SecurID value as a password. If the RSA Authentication Manager, finds that the token is in New Pin or Next Tokencode mode, it will issue an Access-Challenge message with the Reply-Message attribute explaining the next step. The client is expected to display the text, and prompt the user, then send another Access-Request with the response in the password attribute. This exchange can continue through several steps, until an Access-Accepted or -Rejected is received. Only a few RADIUS test clients can actually deal with this. I don't know (off the top of my head) which production clients we recommend. Of course, for the best security the EAP-POTP method is our recommended authentication protocol. Dave.
david@mitton.com wrote:
If the RSA Authentication Manager, finds that the token is in New Pin or Next Tokencode mode, it will issue an Access-Challenge message with the Reply-Message attribute explaining the next step. The client is expected to display the text, and prompt the user, then send another Access-Request with the response in the password attribute. This exchange can continue through several steps, until an Access-Accepted or -Rejected is received.
Only a few RADIUS test clients can actually deal with this. I don't know (off the top of my head) which production clients we recommend.
The pam_radius_auth module on FreeRADIUS.org was written specifically to deal with this situation.
Of course, for the best security the EAP-POTP method is our recommended authentication protocol.
I don't suppose you have server code to contribute? :) Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On 11/28/2006 04:54 PM, Alan DeKok wrote:
david@mitton.com wrote:
...
Of course, for the best security the EAP-POTP method is our recommended authentication protocol.
I don't suppose you have server code to contribute? :)
The current code wasn't developed for portability, and still has a few "challenges". We are looking at some future possibilities in this space. Dave.
participants (3)
-
Alan DeKok -
David Mitton -
david@mitton.com